Release Date: 14/02/2021 | Issue: 74
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
#ci/cd, #attack
Squatting valid internal package names is a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.
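The attack works because the installer prefers a public package that carries the same name as an internal one (usually with an implausibly high version number), so the artefact a build actually ends up with is a lockfile entry pointing at the wrong registry. The following script is an added example, not code from the article or from any of the affected companies: it walks an npm package-lock.json (both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 tree) and flags internally named packages that were resolved from anywhere other than the company registry. The "@acme" scope, the unscoped name "acme-telemetry", the host "npm.internal.example.com" and the lockfile contents are all constructed for this example.

```python
"""Flag dependency-confusion exposure in an npm lockfile (added example)."""
import json
from urllib.parse import urlparse

# Hypothetical inventory of what counts as "internal" (assumption for the example).
INTERNAL_SCOPES = ("@acme/",)                # scoped packages published only internally
INTERNAL_NAMES = {"acme-telemetry"}           # unscoped internal names: claimable by anyone on the public registry
INTERNAL_REGISTRY_HOSTS = {"npm.internal.example.com"}
PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org"}


def is_internal(name: str) -> bool:
    return name.startswith(INTERNAL_SCOPES) or name in INTERNAL_NAMES


def iter_lock_entries(lock: dict):
    """Yield (name, version, resolved) for every package in the lockfile.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules path;
    lockfileVersion 1 nests a "dependencies" tree. Both layouts are handled.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # the root project entry, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), meta.get("resolved")
        return

    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version"), meta.get("resolved")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_confused(lock: dict) -> list:
    """Return internal packages whose tarball did not come from the internal registry."""
    findings = []
    for name, version, resolved in iter_lock_entries(lock):
        if not is_internal(name):
            continue
        host = urlparse(resolved or "").hostname
        if host in INTERNAL_REGISTRY_HOSTS:
            continue
        reason = ("resolved from the public registry" if host in PUBLIC_REGISTRY_HOSTS
                  else f"resolved from unexpected source {resolved!r}")
        findings.append({"name": name, "version": version, "resolved": resolved, "reason": reason})
    return findings


def find_confused_in_file(path: str) -> list:
    """Convenience wrapper for a real package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_confused(json.load(fh))


# Constructed lockfileVersion 2 excerpt. @acme/build-utils shows the classic
# symptom: an implausibly high version pulled from registry.npmjs.org.
SAMPLE_LOCK = {
    "name": "acme-web", "lockfileVersion": 2,
    "packages": {
        "": {"name": "acme-web", "version": "1.0.0"},
        "node_modules/@acme/auth-client": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example.com/@acme/auth-client/-/auth-client-2.1.0.tgz",
        },
        "node_modules/@acme/build-utils": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/build-utils/-/build-utils-99.0.0.tgz",
        },
        "node_modules/acme-telemetry": {
            "version": "1.4.2",
            "resolved": "https://npm.internal.example.com/acme-telemetry/-/acme-telemetry-1.4.2.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
}

if __name__ == "__main__":
    for f in find_confused(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}: {f['reason']}")
```

Scoped packages can be pinned to the internal registry with an `.npmrc` line such as `@acme:registry=https://npm.internal.example.com/`; unscoped internal names have no equivalent guard, which is why the check keeps a separate list for them and why they are the more dangerous case.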


Building a secure CI/CD pipeline for Terraform Infrastructure as Code
#aws, #ci/cd, #build
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used it to build a secure Terraform CI/CD solution for AWS.


Defending Infrastructure as Code in GitHub Enterprise
#ci/cd, #defend
Paper examining a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.


Initial Reaction to AWS Audit Manager
#aws, #explain
AWS Audit Manager is not quite there yet. The intent of the service is clear and you can begin to see the foundation of what this service could be. There are a few gaps that AWS Audit Manager will have to continue to improve upon to make this service usable for its customers.


Opting out of AWS AI data usage
#aws, #build
Why you should opt out of the AI data usage on AWS, how to do that, and how to confirm you did it correctly.


Learn How To Create Network Policies for Kubernetes
#k8s, #build
Tutorial that will teach you how to create a network policy using the Cilium Editor. It explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security policy.


Getting started with Kubernetes audit logs and Falco
#k8s, #monitor
What the Kubernetes audit logs are, what information they provide, and how to integrate them with Falco to detect suspicious activity in your cluster.
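To make concrete what "suspicious activity" looks like in the audit stream, here is an added example (not code from the article or from the Falco project) that reads newline-delimited audit events in the audit.k8s.io/v1 format written by the kube-apiserver log backend and applies checks modelled on a few common Falco k8s_audit rules: exec/attach into a pod, a non-system identity reading Secrets, creation of a privileged pod, and a successful anonymous request. The events at the bottom are constructed for the example; the usernames, namespaces and audit IDs are invented.

```python
"""Detection checks over Kubernetes audit log events (added example)."""
import json


def _user(ev: dict) -> str:
    return ev.get("user", {}).get("username", "")


def _code(ev: dict) -> int:
    return ev.get("responseStatus", {}).get("code", 0)


def _ref(ev: dict) -> dict:
    return ev.get("objectRef") or {}


def exec_into_pod(ev: dict) -> bool:
    # A POST to the pods/exec or pods/attach subresource is recorded with verb "create".
    ref = _ref(ev)
    return ev.get("verb") == "create" and ref.get("resource") == "pods" \
        and ref.get("subresource") in ("exec", "attach")


def secret_read_by_non_system(ev: dict) -> bool:
    # system:* identities (controllers, kubelets) read Secrets constantly; humans and
    # application service accounts doing so successfully are worth a look.
    ref = _ref(ev)
    return ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list", "watch") \
        and not _user(ev).startswith("system:") and 200 <= _code(ev) < 300


def privileged_pod(ev: dict) -> bool:
    # requestObject is only present when the audit policy level for pods is Request or
    # RequestResponse; at Metadata level this check cannot fire.
    if ev.get("verb") not in ("create", "update", "patch") or _ref(ev).get("resource") != "pods":
        return False
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") for c in containers)


def anonymous_request_allowed(ev: dict) -> bool:
    return _user(ev) == "system:anonymous" and _code(ev) not in (401, 403)


RULES = [
    ("exec_into_pod", exec_into_pod),
    ("secret_read_by_non_system", secret_read_by_non_system),
    ("privileged_pod", privileged_pod),
    ("anonymous_request_allowed", anonymous_request_allowed),
]


def scan(lines) -> list:
    """Return (rule, auditID, username) for every event that trips a rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged at RequestReceived and again at ResponseComplete; only
        # the completed stage carries the response code, so evaluate that one.
        if ev.get("stage") != "ResponseComplete":
            continue
        for name, check in RULES:
            if check(ev):
                findings.append((name, ev.get("auditID"), _user(ev)))
    return findings


def _event(audit_id, stage, verb, user, uri, ref, code=None, request_object=None):
    """Build a constructed audit.k8s.io/v1 event for the sample log."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
          "stage": stage, "verb": verb, "requestURI": uri,
          "user": {"username": user, "groups": ["system:authenticated"]}, "objectRef": ref}
    if code is not None:
        ev["responseStatus"] = {"code": code}
    if request_object is not None:
        ev["requestObject"] = request_object
    return ev


PRIV_POD = {"spec": {"containers": [{"name": "c", "image": "busybox",
                                     "securityContext": {"privileged": True}}]}}
EXEC_REF = {"resource": "pods", "namespace": "prod", "name": "web-1", "subresource": "exec"}

# Constructed sample log: one JSON event per line, as the log backend writes it.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("a0", "RequestReceived", "create", "alice", "/api/v1/namespaces/prod/pods/web-1/exec?command=sh", EXEC_REF),
    _event("a1", "ResponseComplete", "create", "alice", "/api/v1/namespaces/prod/pods/web-1/exec?command=sh", EXEC_REF, 101),
    _event("c1", "ResponseComplete", "get", "system:kube-controller-manager",
           "/api/v1/namespaces/kube-system/secrets/sa-token",
           {"resource": "secrets", "namespace": "kube-system", "name": "sa-token"}, 200),
    _event("d1", "ResponseComplete", "get", "alice", "/api/v1/namespaces/prod/secrets/db-creds",
           {"resource": "secrets", "namespace": "prod", "name": "db-creds"}, 200),
    _event("e1", "ResponseComplete", "create", "bob", "/api/v1/namespaces/prod/pods",
           {"resource": "pods", "namespace": "prod", "name": "dbg"}, 201, PRIV_POD),
    _event("f1", "ResponseComplete", "list", "system:anonymous", "/api/v1/pods", {"resource": "pods"}, 403),
    _event("g1", "ResponseComplete", "list", "system:anonymous", "/api/v1/pods", {"resource": "pods"}, 200),
])

if __name__ == "__main__":
    for rule, audit_id, user in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule}: auditID={audit_id} user={user}")
```

The same predicates map directly onto Falco condition syntax (for example `ka.target.subresource in (exec, attach)` and `ka.verb=create` for the exec case); the point of running them over raw events first is to confirm that the audit policy actually records the fields a rule needs, which is the usual reason a rule stays silent.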


Enforce Custom Resource policies with Open Policy Agent Gatekeeper
#k8s, #defend
How to use Open Policy Agent and its Gatekeeper project to enforce policies when creating custom resources.


Wait Conditions in the Kubernetes Provider for HashiCorp Terraform
#terraform, #build
HashiCorp recently improved the wait_for configurations on several resources, as well as introduced an entirely new generic waiter. The new and improved configuration options allow you to specify whether Terraform should wait for a specific condition, or not, before continuing to apply your configuration or complete successfully.

Tools


iamlive
Generate basic AWS IAM policies using client-side monitoring of calls made from the AWS CLI or SDKs.


iam-role-enumeration
Another way to enumerate AWS IAM users/roles without being authenticated to the victim account.


cloudlist
Cloudlist is a tool for listing Assets (Hostnames, IP Addresses) from multiple Cloud Providers.


kctf
kCTF is a Kubernetes-based infrastructure for CTF competitions.

From the cloud providers


New digital curriculum: Managing Amazon S3
AWS announced a free new digital curriculum: Managing Amazon Simple Storage Service, which covers techniques to simplify the management of S3 storage.


Use new account assignment APIs for AWS SSO to automate multi-account access
How you can programmatically assign and audit access to multiple AWS accounts for your AWS Single Sign-On (SSO) users and groups, using the AWS Command Line Interface (AWS CLI) and AWS CloudFormation.


Don't fear the authentication: Google Drive edition
Just as you can share a Drive folder with a person, you can also share a Drive folder with an IAM service account. Or a Sheet, or a Doc. Whatever it is you want to integrate into your GCP application.


6 best practices for effective Cloud NAT monitoring
Best practices for effective Cloud NAT monitoring in GCP: monitor port utilization, monitor the reasons behind Cloud NAT drops, leverage log-based metrics, monitor top endpoints and their drops, baseline a normalized error rate.


Centrally Managing Artifact Registry Container Image Vulnerabilities on Google Cloud
How to utilize Pub/Sub and Cloud Functions to store project level container image vulnerabilities in a centralized service or location.


Google Cloud samples
Search for samples demonstrating the usage of Google Cloud products, across ML APIs, Storage, serverless, and more. You can filter by language and product.


Azure DDoS Protection - 2020 year in review
The prevalence of Distributed Denial-of-Service (DDoS) attacks in 2020 has grown more than 50 percent with increasing complexity and a significant increase in the volume of DDoS traffic.


Baseline architecture for an Azure Kubernetes Service (AKS) cluster
Recommendations for networking, security, identity, management, and monitoring of AKS clusters based on an organization's business requirements.

Copyright © 2019-present The Cloud Security Reading List.